Approve risky actions before they run Coming Soon

Surfaces used: HITL approval workflow (dashboard + notification channel) Modes supported: Hosted Tiers: Teams Status: Coming Soon -- tracked as TODO-HITL-WORKFLOW. A workaround is documented below.

What you'll do

When an AI agent attempts an action your policy marks as approval_required (production deploy, large refund, external email send), the request pauses. An approver gets a Slack / email / SMS notification with the full context, clicks Approve or Deny, and the agent either proceeds or gets a denial with reason.

Why this is the right path for you

If you want AI agents to handle high-stakes work but refuse to let them fire-and-forget, this is the pattern.
If your approver pool is small and predictable, the HITL flow beats per-request policy edits.
If you want to outright deny, use an ordinary DLP rule or policy. HITL is for "sometimes yes, sometimes no" decisions.

When NOT to use this approach

caution

If the answer is always the same ("never allow production writes from an agent"), do not wait for HITL. Write a deny rule today.

The experience (target)

Agent -> Control Zero: invoke tool "send_refund" args {amount: $9500, customer: ...}
Control Zero: policy match "high_value_refund" -> action: approval_required
Control Zero -> Slack #approvals: "Agent 'billing-bot' wants to refund $9500 to cust_123.
  [ Approve ]  [ Deny ]  [ Open context ]"
Approver clicks Approve.
Control Zero -> Agent: allow, returned to tool loop.

The current gap (tracked: TODO-HITL-WORKFLOW) is the pause-and-wait primitive on the gateway / SDK side. Everything else (policy actions, notification channels, audit) already exists.

Workaround available today

Until HITL ships, you can simulate the flow with three pieces that are already GA:

Deny with a reason in your policy for the risky action:

- name: high_value_refund
  match:
    tool: send_refund
    argument_gt: { amount: 1000 }
  action: deny
  reason: 'Refunds over $1,000 require a human approver. Reply in #approvals to authorize.'

Notify Slack on deny via alert channels. The denial reason and full tool arguments land in your review channel.
Approve by editing policy. An authorized admin adds an explicit allow override for that request id (or temporarily raises the threshold), the agent retries, and the action proceeds. Revert when done.

This is clunky, but it gives you the audit trail and the human checkpoint today. We will migrate you to first-class HITL when it ships.

Tracking

Issue: TODO-HITL-WORKFLOW
Want to pilot? Contact us.

Common follow-ups

"Set up the notify-on-deny workaround" -> Alert channels
"Write the deny rule" -> Set up DLP rules
"See what else is on the roadmap" -> Feature availability

Reference

Concepts: Policies, Notifications
API: API reference

What you'll do​

Why this is the right path for you​

When NOT to use this approach​

The experience (target)​

Workaround available today​

Tracking​

Common follow-ups​

Reference​